1,000+ SonicSpy Apps Spread Fresh Android Spyware

An active Android-focused spyware family called SonicSpy has burst on the scene after being found lurking within 1,000 mobile apps, some found in Google Play.

Lookout Security researchers Michael Flossman found that SonicSpy can manipulate a victim's device via 73 remote instructions, including the ability to silently record audio, take photos with the camera, make outbound calls, send text messages to attacker specified numbers, and retrieve information such as call logs, contacts and information about Wi-Fi access points.

One sample of SonicSpy most recently found in Google Play is called Soniac, which is marketed as a messaging app. While Soniac does provide this functionality through a customized version of the communications app Telegram, it also contains malicious capabilities that provide an attacker with significant control over a target device.

“It's clear that the malicious actor(s) behind SonicSpy wanted the app to persist on the victim's device, so they made sure to incorporate the functionality that the end user was expecting,” Flossman said, in a blog. “This was achieved by incorporating and modifying the publicly available source code for the Telegram messenger app. Consequently, the victim would receive the expected messaging functionality, and therefore not suspect the malicious activity going on in the background.”

“Enterprises often send employees overseas for conferences, customer meetings, etc., and while traveling, employees use messaging apps to communicate with coworkers and family back home,” Flossman explained, in a separate blog. “Apps like SonicSpy capitalize on this by pretending to be trustworthy apps in well-known marketplaces.”

Analyzed samples were found to contain many similarities to SpyNote, another malware family that was first reported on in mid-2016. In the case of SpyNote, the attacker used a custom-built desktop application to inject malicious code and trojanize specific apps, so that a victim could still interact with the original, legitimate functionality.

“There are many indicators that suggest the same actor is behind the development of both,” Flossman said. “For example, both families share code similarities, regularly make use of dynamic DNS services, and run on the non-standard 2222 port.”

He added, “Due to the steady stream of SonicSpy apps it seems likely that the actors behind it are using a similar automated-build process, however their desktop tooling has not been recovered at this point in time.”